LMD 1.4.1: Delivering on your requests

The release of LMD 1.4.1 is now live and with it comes a few new features. In this small update, I have tried to deliver on on a couple of common feature requests from users which were in-line with my development goals. That said, right to it…

The biggest change has come in the form of what has been dubbed public mode scanning. This is where non-root users can execute malware scans. For this to work, a new quarantine, session and temporary path directory tree needed to be created that users had write access under. This presented some challenges and in the early incarnation of this feature, the pub/ directory tree created for this feature was set world writable. The more I worked with the ideas around this feature the more I hated it, I simply could not impose upon users a world writable path. Then I flirted with the idea of simply creating the directory tree and if users wanted the feature they had to set it mode 777 themselves, though this was a fair trade it still felt like a lazy solution.

In the end, the solution I came up with was to populate the new pub directory tree with user paths based on passwd users and explicitly set ownership to each user for their pub/username path (–mkpubpaths). This meant that something was needed to regularly update the pub directory tree for new users and as such a cronjob was added that runs every 10 minutes to create said paths (cron.d/maldet_pub). This feature is controlled by conf.maldet variable public_scan which is disabled by default and when in a disabled state the cronjob simply does nothing along with user initiated scans exiting with an error that the feature is not currently enabled.

Supplementing the public mode scanning feature is the support for mod_security2 upload scanning which next to user initiated scans was one of the most requested features recently. Although the inotify real-time monitoring still works very well, it is not an option in some environments which makes mod_security2 upload scanning highly desirable. Conveniently, the only obstacle for upload scanning was simply that LMD did not support user initiated scans and with the introduction of public mode scanning there was only a few changes required to fully integrate it. That being the creation of a validation script for mod_security2’s inspectFile hook which returns an approved or denied status for uploaded files based on malware hits. This script was created as modsec.sh and is located in the LMD installation path. Full details on public mode and mod_security2 upload scanning are included in the README file.

Another highly requested feature is the ability to redefine configuration variables on the CLI on a per execution basis. This has been added through the -co|–config-option CLI flags. This was primarily requested by those creating integration interfaces for LMD along with those who create custom scan cronjobs. Likewise, this proved useful in the creation of the mod_security2 validation script. The usage of this feature is straight forward, simply append a comma spaced list of variables you would like to redefine in the format of VAR=VALUE.

For example, to change the email address for a specific scan and enable quarantining of hits:maldet –config-option [email protected],quar_hits=1

Effectively, any LMD variable located in conf.maldet or internal.conf can be redefined in this way.

Smaller changes include added support for Plesk in the cron.daily scans, email_ignore_clean conf.maldet variable that allows for reports where all hits are cleaned to be ignored and improved accuracy of (gz)base64 injection signatures to reduce false positives.

That covers the notable changes in this release. Although this isn’t as big or feature packed of an update as the last couple of releases, I am confident it will add to the maturity and utility of the project for all users. Please check the CHANGELOG and README files for further details. This update will push out automatically to LMD installations with the default daily cronjob enabled or you can manually update using the ‘maldet -d’ command.

2 Replies to “LMD 1.4.1: Delivering on your requests”

Not sure how to contribute/help LMD without a forum for users to submit their cases, but here is a post I made on interworx forum where a hacker injected a PHP malware redirect into our apache pear.ini – without SSH access.

Running LMD on a full system scan did not find this.

Not sure how they got in, but the post details the code and the filenames. Hope you can add this to LMD.